For anything hijacked you may also need an SNAT rule so DNS traffic to PiHole from the Green LAN appears to come from Green0 and not the LAN IP. This is because otherwise packets get sent from a LAN device from to IPfire and get redirected to PiHole which is also on the green LAN. PiHole returns the packet directly to the LAN device which won’t like it as he sent his packet to Green0 and will only accept a return packet from where he sent it and not direct from PiHole.
2 Likes